ACE: as firewall and NAT. inbound and outbound originals

s.srivas
Level 1

Hi Team,

This time no load balancing is required.

Two servers inside (with private IPs) need to communicate with clients and servers on the internet, i.e., internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.

Both of our servers will work independently for this purpose.

I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as a firewall/router. No plan to load balance at present.

Regards to all

SS

4 Replies

Gilles Dufour
Cisco Employee

ACE will route by default if the traffic is permitted with an access-group.

So, there is nothing much to do if you just need basic routing.

TCP normalization is on by default, so you get the TCP protection.

You can then add per protocol inspection if needed.

G.

Thanks G,

The internal servers use private IP addresses, hence we need to do NAT on the ACE (previously it was done by the FWSM).

The traffic originates from internal and also from internet.

NAT in both direction is needed.

Static Destination NAT for EACH server can be used if originating in Internet.

What NAT to use for the same serverS if they originate traffic towards internet?

Regards

SS

The idea is always the same.

Catch your traffic with a class-map, link the class-map to a policy that performs the needed action, i.e., NAT. Assign the policy to the inbound interface.

Here is an example:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

Gilles.

Gilles,

Inbound traffic and the related reply traffic can be handled with a normal class-map by defining a VIP with a public IP.

The above real server with a private IP is now going to make a different connection to the internet, i.e., outbound traffic and related reply traffic need handling (no load balancing planned).

Destination NAT, Static NAT sounds interesting.

Source NAT, Static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.

SS
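
The pattern from Gilles's reply (class-map, policy-map, service-policy on the inbound interface), written out for two servers with one static translation each, as an added example that is not part of the original thread. All addresses, VLAN numbers, object names and the published port are constructed. It assumes that the static translation also serves connections arriving from the outside toward the public addresses and that the outside ACL is matched against those public addresses; check both against the ACE documentation for your release.

```cisco
! Constructed addressing (assumption, not from the thread):
!   servers 10.10.10.11 and 10.10.10.12 on inside VLAN 200
!   public addresses 192.0.2.11 and 192.0.2.12 on outside VLAN 100

! Classify each server's traffic by its private source address
access-list SRV1_NAT line 10 extended permit ip host 10.10.10.11 any
access-list SRV2_NAT line 10 extended permit ip host 10.10.10.12 any

class-map match-any SRV1_NAT_CLASS
  2 match access-list SRV1_NAT
class-map match-any SRV2_NAT_CLASS
  2 match access-list SRV2_NAT

! One static (1:1) translation per server, toward the outside VLAN.
! No serverfarm or VIP is involved, so nothing is load balanced.
policy-map multi-match SERVER_NAT
  class SRV1_NAT_CLASS
    nat static 192.0.2.11 netmask 255.255.255.255 vlan 100
  class SRV2_NAT_CLASS
    nat static 192.0.2.12 netmask 255.255.255.255 vlan 100

! The ACE only routes what an access-group permits.
! Inside: only the two servers may originate connections.
access-list INSIDE_OUT line 10 extended permit ip host 10.10.10.11 any
access-list INSIDE_OUT line 20 extended permit ip host 10.10.10.12 any
! Outside: publish only the service the servers offer (443 is a placeholder).
access-list OUTSIDE_IN line 10 extended permit tcp any host 192.0.2.11 eq 443
access-list OUTSIDE_IN line 20 extended permit tcp any host 192.0.2.12 eq 443

! Inside interface: traffic from the servers enters here, so the NAT policy
! is attached here ("assign the policy to the inbound interface").
interface vlan 200
  ip address 10.10.10.1 255.255.255.0
  access-group input INSIDE_OUT
  service-policy input SERVER_NAT
  no shutdown

! Outside interface: filtering only.
interface vlan 100
  ip address 192.0.2.1 255.255.255.0
  access-group input OUTSIDE_IN
  no shutdown
```

After applying a configuration like this, `show xlate` on the ACE lists the active translations, which confirms that each server maps to its own public address in both directions.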
